Managing Container Registries

Overview

Manage container registries across Docker Hub, AWS ECR, GCP Artifact Registry, Azure ACR, and self-hosted registries (Harbor, Nexus). Automate image tagging, lifecycle policies, cross-region replication, vulnerability scanning integration, and access control for container image storage and distribution.

Prerequisites

Docker CLI installed and authenticated to the target registry
Cloud provider CLI (aws, gcloud, az) for managed registries
Registry credentials configured (docker login or credential helpers)
Understanding of image naming conventions (registry/namespace/image:tag)
IAM permissions for registry operations (push, pull, delete, admin)

Instructions

Identify the target registry type: ECR, Artifact Registry, ACR, Docker Hub, or self-hosted
Configure authentication: set up credential helpers for automated access (docker-credential-ecr-login, gcloud auth configure-docker)
Define image naming and tagging strategy: use semantic versioning for releases, git SHA for CI builds, latest only for development
Create repository/namespace structure organized by team, application, or environment
Configure lifecycle policies to auto-delete untagged images and images older than retention threshold (e.g., keep last 10 tagged images, delete untagged after 7 days)
Set up vulnerability scanning: enable automatic scanning on push (ECR scan-on-push, GCP Container Analysis)
Configure cross-region replication for disaster recovery and latency reduction
Implement access control: read-only for CI pull, push access for CI build agents, admin for operators
Generate Terraform/IaC for registry infrastructure and policies

Output

Terraform/CloudFormation for registry creation with lifecycle and replication policies
Docker credential helper configuration scripts
CI/CD pipeline steps for building, tagging, and pushing images
Lifecycle policy JSON (ECR) or cleanup scripts (Docker Hub, Harbor)
RBAC configurations for registry access control

Error Handling

Error	Cause	Solution
`denied: requested access to the resource is denied`	Missing push/pull permissions or expired token	Re-authenticate with `docker login` or refresh credential helper; verify IAM policies
`manifest unknown: manifest unknown`	Image tag does not exist in the registry	Verify image name and tag; check if lifecycle policy deleted the image
`no space left on device` during push	Registry storage quota exceeded	Increase quota, run lifecycle cleanup, or delete unused images
`unauthorized: authentication required`	Credential helper not configured or token expired	Set up credential helper (`aws ecr get-login-password`, `gcloud auth configure-docker`)
`toomanyrequests: rate limit exceeded`	Docker Hub pull rate limit hit	Use authenticated pulls, mirror images to private registry, or upgrade Docker Hub plan

Examples

"Set up an AWS ECR repository with scan-on-push enabled, lifecycle policy to keep last 20 tagged images, and cross-region replication to us-west-2."
"Configure GCP Artifact Registry with Docker credential helper and a cleanup policy for images not pulled in 90 days."
"Create a CI pipeline step that builds a Docker image, tags it with the git SHA and latest, pushes to ECR, and fails if Critical vulnerabilities are found."

Resources

AWS ECR: https://docs.aws.amazon.com/AmazonECR/latest/userguide/
GCP Artifact Registry: https://cloud.google.com/artifact-registry/docs
Azure ACR: https://learn.microsoft.com/en-us/azure/container-registry/
Harbor registry: https://goharbor.io/docs/
Docker Hub: https://docs.docker.com/docker-hub/

managing-container-registries